Closed Bug 1768734 Opened 3 years ago Closed 3 years ago

use-after-poison in [@ JS::HeapValuePostWriteBarrier]

Categories

(Core :: XPCOM, defect)

defect

Tracking


RESOLVED FIXED
102 Branch
Tracking Status
firefox-esr91 101+ fixed
firefox100 --- wontfix
firefox101 + fixed
firefox102 + fixed

People

(Reporter: tsmith, Assigned: jonco)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main101+r][adv-esr91.10+r])

Attachments

(2 files)

Found while fuzzing m-c 20220510-58a6343ab33d (--enable-address-sanitizer --enable-fuzzing)

The test case is currently being reduced. Since it is not 100% reliable it may take some time. In the meantime I will try to get a Pernosco session.

==32040==ERROR: AddressSanitizer: use-after-poison on address 0x7feda3d00000 at pc 0x7fedcbcb90e0 bp 0x7feda41e6e90 sp 0x7feda41e6e88
READ of size 8 at 0x7feda3d00000 thread T26 (DOM Worker)
    #0 0x7fedcbcb90df in storeBuffer /gecko/js/src/gc/Cell.h:362:65
    #1 0x7fedcbcb90df in postBarrier /gecko/js/src/gc/Barrier.h:392:33
    #2 0x7fedcbcb90df in JS::HeapValuePostWriteBarrier(JS::Value*, JS::Value const&, JS::Value const&) /gecko/js/src/gc/Barrier.cpp:189:3
    #3 0x7fedbd8f6e57 in postWriteBarrier /builds/worker/workspace/obj-build/dist/include/js/Value.h:1189:5
    #4 0x7fedbd8f6e57 in postWriteBarrier /builds/worker/workspace/obj-build/dist/include/js/RootingAPI.h:376:5
    #5 0x7fedbd8f6e57 in set /builds/worker/workspace/obj-build/dist/include/js/RootingAPI.h:360:5
    #6 0x7fedbd8f6e57 in set /builds/worker/workspace/obj-build/dist/include/js/Value.h:1285:34
    #7 0x7fedbd8f6e57 in setUndefined /builds/worker/workspace/obj-build/dist/include/js/Value.h:1290:25
    #8 0x7fedbd8f6e57 in ClearJSHolder::Trace(JS::Heap<JS::Value>*, char const*, void*) const /gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1478:11
    #9 0x7fedbd8ed1e3 in RemoveJSHolder /gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1522:13
    #10 0x7fedbd8ed1e3 in mozilla::cyclecollector::DropJSObjectsImpl(void*) /gecko/xpcom/base/HoldDropJSObjects.cpp:36:7
    #11 0x7fedc4fabeb3 in Drop /builds/worker/workspace/obj-build/dist/include/mozilla/HoldDropJSObjects.h:50:5
    #12 0x7fedc4fabeb3 in DropJSObjects<mozilla::dom::IDBRequest> /builds/worker/workspace/obj-build/dist/include/mozilla/HoldDropJSObjects.h:79:3
    #13 0x7fedc4fabeb3 in mozilla::dom::IDBRequest::~IDBRequest() /gecko/dom/indexedDB/IDBRequest.cpp:67:3
    #14 0x7fedc4fadc9d in mozilla::dom::IDBOpenDBRequest::~IDBOpenDBRequest() /gecko/dom/indexedDB/IDBRequest.cpp:326:39
    #15 0x7fedc33f8777 in mozilla::DOMEventTargetHelper::Release() /gecko/dom/events/DOMEventTargetHelper.cpp:86:1
    #16 0x7fedbd908b97 in ~nsCOMPtr_base /gecko/xpcom/base/nsCOMPtr.h:328:7
    #17 0x7fedbd908b97 in mozilla::SegmentedVector<nsCOMPtr<nsISupports>, 4096ul, mozilla::MallocAllocPolicy>::SegmentImpl<509ul>::~SegmentImpl() /builds/worker/workspace/obj-build/dist/include/mozilla/SegmentedVector.h:78:21
    #18 0x7fedbd908947 in mozilla::SegmentedVector<nsCOMPtr<nsISupports>, 4096ul, mozilla::MallocAllocPolicy>::PopLastN(unsigned int) /builds/worker/workspace/obj-build/dist/include/mozilla/SegmentedVector.h:246:14
    #19 0x7fedbd8e7cbc in mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize(unsigned int, void*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:2770:15
    #20 0x7fedbd8e89f2 in mozilla::IncrementalFinalizeRunnable::ReleaseNow(bool) /gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1707:17
    #21 0x7fedbd8e91a9 in mozilla::CycleCollectedJSRuntime::FinalizeDeferredThings(mozilla::CycleCollectedJSContext::DeferredFinalizeType) /gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1783:24
    #22 0x7fedbd8e5865 in mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus, JS::GCReason) /gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1855:7
    #23 0x7fedcbce466f in js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus, JS::GCReason) /gecko/js/src/gc/GC.cpp:3659:3
    #24 0x7fedcbce5768 in ~AutoCallGCCallbacks /gecko/js/src/gc/GC.cpp:3634:32
    #25 0x7fedcbce5768 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) /gecko/js/src/gc/GC.cpp:3738:1
    #26 0x7fedcbce6e60 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) /gecko/js/src/gc/GC.cpp:3917:9
    #27 0x7fedcbcaddb6 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) /gecko/js/src/gc/GC.cpp:3994:3
    #28 0x7fedcb555148 in JSRuntime::destroyRuntime() /gecko/js/src/vm/Runtime.cpp:284:8
    #29 0x7fedcb32b84f in js::DestroyContext(JSContext*) /gecko/js/src/vm/JSContext.cpp:238:7
    #30 0x7fedbd8d05a1 in mozilla::CycleCollectedJSContext::~CycleCollectedJSContext() /gecko/xpcom/base/CycleCollectedJSContext.cpp:110:3
    #31 0x7fedc55f84f3 in ~WorkerJSContext /gecko/dom/workers/RuntimeService.cpp:836:3
    #32 0x7fedc55f84f3 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:463:5
    #33 0x7fedc55f84f3 in mozilla::UniquePtr<mozilla::dom::WorkerJSContext, mozilla::DefaultDelete<mozilla::dom::WorkerJSContext> >::reset(mozilla::dom::WorkerJSContext*) /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:305:7
    #34 0x7fedc55f4d6b in ~UniquePtr /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:253:18
    #35 0x7fedc55f4d6b in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2092:5
    #36 0x7fedbdb06ede in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1174:16
    #37 0x7fedbdb1081c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #38 0x7fedbf20f7f5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:300:20
    #39 0x7fedbf085c31 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #40 0x7fedbf085c31 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #41 0x7fedbf085c31 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #42 0x7fedbdafeaab in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:378:10
    #43 0x7fede2ed857e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #44 0x7fede3b17608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
    #45 0x7fede36de162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x7feda3d00000 is located 2048 bytes to the right of 393216-byte region [0x7feda3c9f800,0x7feda3cff800)
freed by thread T14 (DOM Worker) here:
    #0 0x55c70d3e8262 in __interceptor_free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x7fedbd93dec3 in free_<mozilla::detail::HashTable<PtrInfo *const, mozilla::HashSet<PtrInfo *, PtrToNodeHashPolicy, mozilla::MallocAllocPolicy>::SetHashPolicy, mozilla::MallocAllocPolicy>::FakeSlot> /builds/worker/workspace/obj-build/dist/include/mozilla/AllocPolicy.h:116:5
    #2 0x7fedbd93dec3 in freeTable /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1679:18
    #3 0x7fedbd93dec3 in mozilla::detail::HashTable<PtrInfo* const, mozilla::HashSet<PtrInfo*, PtrToNodeHashPolicy, mozilla::MallocAllocPolicy>::SetHashPolicy, mozilla::MallocAllocPolicy>::changeTableSize(unsigned int, mozilla::detail::HashTable<PtrInfo* const, mozilla::HashSet<PtrInfo*, PtrToNodeHashPolicy, mozilla::MallocAllocPolicy>::SetHashPolicy, mozilla::MallocAllocPolicy>::FailureBehavior) /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1865:5
    #4 0x7fedbd91d1a6 in remove /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:2222:5
    #5 0x7fedbd91d1a6 in remove /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:635:33
    #6 0x7fedbd91d1a6 in CCGraph::RemoveObjectFromMap(void*) /gecko/xpcom/base/nsCycleCollector.cpp:840:17
    #7 0x7fedbd92d3ca in nsCycleCollector::RemoveObjectFromGraph(void*) /gecko/xpcom/base/nsCycleCollector.cpp:3659:10
    #8 0x7fedbd93b924 in SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&) /gecko/xpcom/base/nsCycleCollector.cpp:2413:19
    #9 0x7fedbd924952 in SnowWhiteKiller::~SnowWhiteKiller() /gecko/xpcom/base/nsCycleCollector.cpp:2406:7
    #10 0x7fedbd923eee in nsCycleCollector::FreeSnowWhite(bool) /gecko/xpcom/base/nsCycleCollector.cpp:2596:3
    #11 0x7fedbd92869a in nsCycleCollector_dispatchDeferredDeletion /gecko/xpcom/base/nsCycleCollector.cpp:3869:9
    #12 0x7fedbd92869a in nsCycleCollector::CollectWhite() /gecko/xpcom/base/nsCycleCollector.cpp:3092:3
    #13 0x7fedbd92b7a5 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /gecko/xpcom/base/nsCycleCollector.cpp:3440:26
    #14 0x7fedbd92ecb2 in nsCycleCollector_collect(mozilla::CCReason, nsICycleCollectorListener*) /gecko/xpcom/base/nsCycleCollector.cpp:3911:28
    #15 0x7fedc55f607d in mozilla::dom::workerinternals::(anonymous namespace)::WorkerJSRuntime::CustomGCCallback(JSGCStatus) /gecko/dom/workers/RuntimeService.cpp:793:11
    #16 0x7fedbd8e58a0 in mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus, JS::GCReason) /gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1865:3
    #17 0x7fedcbce466f in js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus, JS::GCReason) /gecko/js/src/gc/GC.cpp:3659:3
    #18 0x7fedcbce5768 in ~AutoCallGCCallbacks /gecko/js/src/gc/GC.cpp:3634:32
    #19 0x7fedcbce5768 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) /gecko/js/src/gc/GC.cpp:3738:1
    #20 0x7fedcbce6e60 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) /gecko/js/src/gc/GC.cpp:3917:9
    #21 0x7fedcbcaddb6 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) /gecko/js/src/gc/GC.cpp:3994:3
    #22 0x7fedc55f49b6 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2063:7
    #23 0x7fedbdb06ede in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1174:16
    #24 0x7fedbdb1081c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #25 0x7fedbf20f7f5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:300:20
    #26 0x7fedbf085c31 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #27 0x7fedbf085c31 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #28 0x7fedbf085c31 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #29 0x7fedbdafeaab in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:378:10
    #30 0x7fede2ed857e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #31 0x7fede3b17608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8

previously allocated by thread T14 (DOM Worker) here:
    #0 0x55c70d3e850e in __interceptor_malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7fedbd93ddc7 in createTable /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h
    #2 0x7fedbd93ddc7 in mozilla::detail::HashTable<PtrInfo* const, mozilla::HashSet<PtrInfo*, PtrToNodeHashPolicy, mozilla::MallocAllocPolicy>::SetHashPolicy, mozilla::MallocAllocPolicy>::changeTableSize(unsigned int, mozilla::detail::HashTable<PtrInfo* const, mozilla::HashSet<PtrInfo*, PtrToNodeHashPolicy, mozilla::MallocAllocPolicy>::SetHashPolicy, mozilla::MallocAllocPolicy>::FailureBehavior) /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1842:22
    #3 0x7fedbd9457aa in bool mozilla::detail::HashTable<PtrInfo* const, mozilla::HashSet<PtrInfo*, PtrToNodeHashPolicy, mozilla::MallocAllocPolicy>::SetHashPolicy, mozilla::MallocAllocPolicy>::add<PtrInfo*&>(mozilla::detail::HashTable<PtrInfo* const, mozilla::HashSet<PtrInfo*, PtrToNodeHashPolicy, mozilla::MallocAllocPolicy>::SetHashPolicy, mozilla::MallocAllocPolicy>::AddPtr&, PtrInfo*&) /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:2121:30
    #4 0x7fedbd91f30c in add<PtrInfo *&> /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:614:18
    #5 0x7fedbd91f30c in CCGraphBuilder::AddNode(void*, nsCycleCollectionParticipant*) /gecko/xpcom/base/nsCycleCollector.cpp:1993:29
    #6 0x7fedbd8e4d95 in mozilla::CycleCollectedJSRuntime::TraverseNativeRoots(nsCycleCollectionNoteRootCallback&) /gecko/xpcom/base/CycleCollectedJSRuntime.cpp:978:11
    #7 0x7fedbd8e6b97 in mozilla::CycleCollectedJSRuntime::TraverseRoots(nsCycleCollectionNoteRootCallback&) /gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1551:3
    #8 0x7fedbd92c1b2 in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /gecko/xpcom/base/nsCycleCollector.cpp:3612:19
    #9 0x7fedbd92b61c in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /gecko/xpcom/base/nsCycleCollector.cpp:3412:9
    #10 0x7fedbd92ecb2 in nsCycleCollector_collect(mozilla::CCReason, nsICycleCollectorListener*) /gecko/xpcom/base/nsCycleCollector.cpp:3911:28
    #11 0x7fedc55f607d in mozilla::dom::workerinternals::(anonymous namespace)::WorkerJSRuntime::CustomGCCallback(JSGCStatus) /gecko/dom/workers/RuntimeService.cpp:793:11
    #12 0x7fedbd8e58a0 in mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus, JS::GCReason) /gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1865:3
    #13 0x7fedcbce466f in js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus, JS::GCReason) /gecko/js/src/gc/GC.cpp:3659:3
    #14 0x7fedcbce5768 in ~AutoCallGCCallbacks /gecko/js/src/gc/GC.cpp:3634:32
    #15 0x7fedcbce5768 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) /gecko/js/src/gc/GC.cpp:3738:1
    #16 0x7fedcbce6e60 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) /gecko/js/src/gc/GC.cpp:3917:9
    #17 0x7fedcbcaddb6 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) /gecko/js/src/gc/GC.cpp:3994:3
    #18 0x7fedc55f49b6 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2063:7
    #19 0x7fedbdb06ede in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1174:16
    #20 0x7fedbdb1081c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #21 0x7fedbf20f7f5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:300:20
    #22 0x7fedbf085c31 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #23 0x7fedbf085c31 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #24 0x7fedbf085c31 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #25 0x7fedbdafeaab in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:378:10
    #26 0x7fede2ed857e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #27 0x7fede3b17608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8

Thread T26 (DOM Worker) created by T0 (Isolated Servic) here:
    #0 0x55c70d3d1a6c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7fede2ec862c in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7fede2eb99ce in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7fedbdb01d55 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:604:18
    #4 0x7fedc5643532 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /gecko/dom/workers/WorkerThread.cpp:102:7
    #5 0x7fedc55cf205 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1306:37
    #6 0x7fedc55cdfaf in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1182:19
    #7 0x7fedc5616820 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /gecko/dom/workers/WorkerPrivate.cpp:2529:24
    #8 0x7fedc5652833 in mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&) /gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:449:41
    #9 0x7fedc568982a in operator() /gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:306:29
    #10 0x7fedc568982a in mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&)::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #11 0x7fedbdad2f7f in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:140:20
    #12 0x7fedbdb1fcf2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:467:16
    #13 0x7fedbdae5d45 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:780:26
    #14 0x7fedbdae2ef8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:612:15
    #15 0x7fedbdae3620 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:390:36
    #16 0x7fedbdb28874 in operator() /gecko/xpcom/threads/TaskController.cpp:127:37
    #17 0x7fedbdb28874 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #18 0x7fedbdb066b7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1180:16
    #19 0x7fedbdb1081c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #20 0x7fedbf20e144 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:107:5
    #21 0x7fedbf085c31 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #22 0x7fedbf085c31 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #23 0x7fedbf085c31 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #24 0x7fedc5ee7ec7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #25 0x7fedcada4c7f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:874:20
    #26 0x7fedbf085c31 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #27 0x7fedbf085c31 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #28 0x7fedbf085c31 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #29 0x7fedcada3e2b in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #30 0x55c70d425b9d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #31 0x55c70d425fd0 in main /gecko/browser/app/nsBrowserApp.cpp:329:18
    #32 0x7fede35e30b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

Thread T14 (DOM Worker) created by T0 (Isolated Servic) here:
    #0 0x55c70d3d1a6c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7fede2ec862c in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7fede2eb99ce in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7fedbdb01d55 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:604:18
    #4 0x7fedc5643532 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /gecko/dom/workers/WorkerThread.cpp:102:7
    #5 0x7fedc55cf205 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1306:37
    #6 0x7fedc55cdfaf in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1182:19
    #7 0x7fedc5616820 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /gecko/dom/workers/WorkerPrivate.cpp:2529:24
    #8 0x7fedc5652833 in mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&) /gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:449:41
    #9 0x7fedc568982a in operator() /gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:306:29
    #10 0x7fedc568982a in mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&)::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #11 0x7fedbdad2f7f in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:140:20
    #12 0x7fedbdb1fcf2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:467:16
    #13 0x7fedbdae5d45 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:780:26
    #14 0x7fedbdae2ef8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:612:15
    #15 0x7fedbdae3620 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:390:36
    #16 0x7fedbdb28874 in operator() /gecko/xpcom/threads/TaskController.cpp:127:37
    #17 0x7fedbdb28874 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #18 0x7fedbdb066b7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1180:16
    #19 0x7fedbdb1081c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #20 0x7fedbf20e144 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:107:5
    #21 0x7fedbf085c31 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #22 0x7fedbf085c31 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #23 0x7fedbf085c31 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #24 0x7fedc5ee7ec7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #25 0x7fedcada4c7f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:874:20
    #26 0x7fedbf085c31 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #27 0x7fedbf085c31 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #28 0x7fedbf085c31 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #29 0x7fedcada3e2b in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #30 0x55c70d425b9d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #31 0x55c70d425fd0 in main /gecko/browser/app/nsBrowserApp.cpp:329:18
    #32 0x7fede35e30b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

This looks like an internal cycle collector issue.

Hmm maybe it could be an indexed DB issue. The use is inside a GC barrier, which probably indicates that it is a JS thing. Does mResultVal or some other field need to be cleared when we unlink?

No, that's not right. Something weird is definitely happening.

Well, I just noticed that the read and the free are on different DOM worker threads, which explains why the types don't really make sense. The read is poking at a GC cell, where the free is some internal hashtable used by the CC.

Tyson is capturing a pernosco session and trying to reduce the testcase

Keywords: testcase-wanted

A Pernosco session is available here: https://pernos.co/debug/hlfUo8NeofoRK7PV6dOwCA/index.html

I poked at this Pernosco session a bit. Hopefully that link works. The "values of memory address" is 0x61100006eb80 which is the IDBRequest here.

We're in the middle of destroying a worker JS runtime. We've already run IDBOpenDBRequest_Binding::_finalize from foregroundFinalize, which happens during sweeping. That clears the wrapper and the reserved slot, but it doesn't clear mResultVal. Then later, as seen in comment 0, we're running the deferred finalizer. We're clearing the mResultVal field, which runs a post barrier, and that's in the middle of poking at some GC data structure when we crash.

My guess is that mResultVal is pointing at a cell that was destroyed during sweeping. Steve, do we destroy arena or whatever during sweeping before we run the GC callback where we run the deferred finalizers?

I don't see why that isn't the case, but I don't understand why we don't see this issue all of the time. If we usually do a CC unlink before we finalize (which will happen whenever there's a preserved wrapper), then we shouldn't hit this issue. I'm not sure what combination of things is causing us to not have a preserved wrapper, but we do have a JS pointer, and this only happens in odd circumstances.

Flags: needinfo?(sphink)

It kind of feels like we have to run DropJSObjects in the finalizer, so we'll be sure to clear all of our JS gunk out of the object, and not just the wrapper. I'm not an expert on barriers, but checking if the cell is still alive doesn't feel like it is something we can do in there.

I still don't understand why ASan thinks the free stack comes from some other worker thread. Maybe ASan doesn't understand how we free our GC chunks, which would be bad.

(In reply to Andrew McCreight [:mccr8] from comment #9)

I still don't understand why ASan thinks the free stack comes from some other worker thread. Maybe ASan doesn't understand how we free our GC chunks, which would be bad.

The error in comment 0 is a "use-after-poison". I don't understand where the free stack comes from here, because this type of error normally does not emit additional stacks at all (neither a free stack nor a stack where it was poisoned, which is unfortunate).

So I did some local experimenting and it turns out that a free stack is emitted if the memory is freed first, then poisoned without being re-allocated it seems. So it could be that the free stack is unrelated to the actual issue here.

Thanks for the explanation. I was going to email you asking about that. It seems unfortunate that ASan doesn't show the stack for the poison. Maybe there's also some issue with how the GC allocator is marking things as allocated vs marking them as poisoned.

Ok, I'm pretty fuzzy on this stuff, but my understanding is:

We call DeferredFinalize when we need some finalization to happen when things are at a safe point, to avoid things like trying to GC or run barriers from within a (non-deferred) finalizer. In general, it's dangerous to run random destructors from finalizers since they could do arbitrary things, potentially reading/writing various GC pointers that may no longer be alive. So this seems like a good use of DeferredFinalize to me.

ClearJSHolder is clearing out GC pointer fields and triggering post-write barriers in the process. Which makes sense -- if it was a pointer into the nursery, then there will be a record in the store buffer that we can remove now since we know that it won't need to be updated anymore during a minor GC. We don't have to remove it, since when we scan the store buffer next we'll just see that it's nullptr or UndefinedValue or whatever, but it saves some space and time scanning over it. So the basic code seems fine.

This appears to be a GC shutdown crash: we do a shutdown GC after releasing various roots that would normally keep things alive. That GC collects an object that calls IDBOpenDBRequest_Binding::_finalize, which enqueues a deferred finalizer. The GC finishes, all the GC memory has now been released, then in the post-GC callback we run the deferred finalizer that accesses some GC memory. Fall down go boom.

I'll suggest a fix, but I suspect we have a general rule about this. I'll needinfo jonco for that.

One fix would be to skip queueing up a deferred finalizer in _finalize if we're doing a shutdown GC. If that's the fix, then we probably ought to assert either that there are no deferred finalizers after doing a shutdown GC, or if that's too restrictive, have an assert that we don't DropJSObjects after the GC has been shut down. Or we could use a bigger hammer: skip the post-GC callback entirely on a shutdown GC. But again, that could prevent legitimate cleanup that doesn't need to look at GC memory.

I'm hoping somebody has thought through all this already.

Flags: needinfo?(sphink) → needinfo?(jcoppeard)

This is an interesting bug. What is supposed to happen is that in a shutdown GC GCRuntime::finishRoots traces the embedding's gray roots with a ClearEdgesTracer, which sets this to undefined at the start of GC. If that had happened, it wouldn't matter whether this was accessed later on by a deferred finalizer.

Previously this was optimised to trace only gray roots in collecting zones, but
there was a bug in that it also skipped clearing roots because this happens
before the start of GC when zones are selected for collection.

Instead, make sure we only perform this optimisation when marking.

Assignee: nobody → jcoppeard
Status: NEW → ASSIGNED
Flags: needinfo?(jcoppeard)
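A simplified model of the shutdown ordering described in the comments above (the deferred finalizer running its post-write barrier after the GC memory is released, and the finishRoots clearing that should have prevented it), added here as an illustration; it is not Gecko or SpiderMonkey code, and Runtime, Zone, Cell, HeapSlot, StoreBuffer and shutdownTouchesFreedMemory are invented stand-ins. Passing true models the regressed optimisation that only cleared holders in collecting zones; false models the fix that clears them regardless.

```cpp
// Simplified model of the shutdown ordering in this bug. Not Gecko or
// SpiderMonkey code: Runtime, Zone, Cell, HeapSlot and StoreBuffer are stand-ins.
#include <cstddef>
#include <memory>
#include <vector>

struct Zone;

// A GC cell; destroyed when the runtime's heap is torn down.
struct Cell {
  Zone* zone;
  explicit Cell(Zone* z) : zone(z) {}
};

struct Zone {
  bool collecting = false;  // selected for collection in the current GC?
  std::vector<std::unique_ptr<Cell>> cells;
};

// Stand-in for the generational store buffer that the post-write barrier
// updates. The real one is released with the rest of the GC memory.
struct StoreBuffer {
  size_t removedEdges = 0;
};

// Stand-in for the JS::Heap<JS::Value> inside a JS holder (e.g. mResultVal).
struct HeapSlot {
  Cell* ptr = nullptr;  // nullptr plays the role of UndefinedValue
};

struct Runtime {
  std::vector<Zone> zones;
  std::vector<HeapSlot*> holders;  // the embedding's JS holders (gray roots)
  std::vector<HeapSlot*> deferredFinalizers;
  StoreBuffer* storeBuffer = new StoreBuffer;
  bool storeBufferFreed = false;
  bool touchedFreedMemory = false;  // what ASan reports as use-after-poison

  ~Runtime() { delete storeBuffer; }

  // HeapValuePostWriteBarrier: only does work when the old value was a cell,
  // and that work touches the store buffer.
  void postWriteBarrier(HeapSlot* slot) {
    if (!slot->ptr) return;
    if (storeBufferFreed) { touchedFreedMemory = true; return; }
    storeBuffer->removedEdges++;
  }

  // ClearJSHolder::Trace, reached from DropJSObjects in the deferred
  // finalizer: set the slot to undefined, which runs the post-write barrier.
  void clearJSHolder(HeapSlot* slot) {
    postWriteBarrier(slot);
    slot->ptr = nullptr;
  }

  // GCRuntime::finishRoots: trace gray roots with a ClearEdgesTracer before the
  // shutdown GC selects zones. With the regressed optimisation, holders whose
  // zone is not yet marked as collecting are skipped, so nothing gets cleared.
  void finishRoots(bool onlyCollectingZones) {
    for (HeapSlot* slot : holders) {
      if (onlyCollectingZones && slot->ptr && !slot->ptr->zone->collecting) continue;
      slot->ptr = nullptr;  // store buffer is still alive here, so this is safe
    }
  }

  void shutdownGC(bool onlyCollectingZones) {
    finishRoots(onlyCollectingZones);
    for (Zone& z : zones) z.collecting = true;  // a shutdown GC collects everything
    // Sweeping: _finalize enqueues DeferredFinalize work instead of touching
    // the holder inline.
    for (HeapSlot* slot : holders) deferredFinalizers.push_back(slot);
    for (Zone& z : zones) z.cells.clear();  // GC memory released
    delete storeBuffer;
    storeBuffer = nullptr;
    storeBufferFreed = true;
    // Post-GC callback: run the deferred finalizers.
    for (HeapSlot* slot : deferredFinalizers) clearJSHolder(slot);
    deferredFinalizers.clear();
  }
};

// Builds one zone, one cell and one holder pointing at it, then runs the
// shutdown GC. Returns true if a barrier ran against freed GC memory.
bool shutdownTouchesFreedMemory(bool regressedOptimisation) {
  Runtime rt;
  rt.zones.emplace_back();
  Zone& zone = rt.zones.back();
  zone.cells.push_back(std::make_unique<Cell>(&zone));
  HeapSlot resultVal;  // constructed stand-in for IDBRequest::mResultVal
  resultVal.ptr = zone.cells.back().get();
  rt.holders.push_back(&resultVal);
  rt.shutdownGC(regressedOptimisation);
  return rt.touchedFreedMemory;
}

int main() {
  // Regressed ordering touches freed memory; the fixed ordering does not.
  return (shutdownTouchesFreedMemory(true) && !shutdownTouchesFreedMemory(false)) ? 0 : 1;
}
```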

Hi :jonco, am I assuming right that the component of this bug is actually XPCOM?

Flags: needinfo?(jcoppeard)

I'm not sure what the right component is precisely, but IndexedDB is not right.

Component: Storage: IndexedDB → XPCOM
Flags: needinfo?(jcoppeard)
Regressed by: 1425450

Set release status flags based on info from the regressing bug 1425450

Has Regression Range: --- → yes

It is kind of too late now, but you should have gotten sec-approval before landing this. I guess sec-high might be a little too high of a rating, given that this was apparently around for 2 years before fuzzing found it, so it probably doesn't really matter.

(In reply to Andrew McCreight [:mccr8] from comment #18)
Ah, sorry, I thought this was sec-moderate but that must have been the other bug I was looking at.

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch

This will need a rebased patch for ESR91.

Comment on attachment 9276927 [details]
Bug 1768734 - Make sure JS holders are cleared before a shutdown GC r?mccr8

Beta/Release Uplift Approval Request

  • User impact if declined: Possible shutdown crash
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a simple change that removes an optimisation in some circumstances, so it's unlikely to cause a problem if it's wrong (only slow collections a little).
  • String changes made/needed: None
  • Is Android affected?: Yes
Flags: needinfo?(jcoppeard)
Attachment #9276927 - Flags: approval-mozilla-beta?

Comment on attachment 9276927 [details]
Bug 1768734 - Make sure JS holders are cleared before a shutdown GC r?mccr8

Approved for 101.0b9.

Attachment #9276927 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Please attach a rebased patch for ESR91 and request approval when you get a chance.

Flags: needinfo?(jcoppeard)
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]

Comment on attachment 9277766 [details]
Bug 1768734 - Make sure JS holders are cleared before a shutdown GC (ESR) r=mccr8

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Fix for sec-high bug.
  • User impact if declined: Possible crash / security vulnerability.
  • Fix Landed on Version: 102
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a simple change that removes an optimisation in some situations.
Flags: needinfo?(jcoppeard)
Attachment #9277766 - Flags: approval-mozilla-esr91?

Comment on attachment 9277766 [details]
Bug 1768734 - Make sure JS holders are cleared before a shutdown GC (ESR) r=mccr8

Approved for 91.10esr, thanks.

Attachment #9277766 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main101+r]
Whiteboard: [post-critsmash-triage][adv-main101+r] → [post-critsmash-triage][adv-main101+r][adv-esr91.10+r]
Group: core-security-release